Wednesday, June 24, 2015

NIST Releases Guidelines for the Security of Controlled Unclassified Information

The National Institute of Standards and Technology (NIST) has published the final version of its guidelines for federal agencies on securing sensitive government information stored by contractors and other non-federal organizations.
“Contractors routinely process, store and transmit sensitive federal information to assist federal agencies in carrying out their core missions and business operations,” NIST said.
“Federal information is also shared with state and local governments, universities and independent research organizations.”
Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, such as personally identifiable information.
“Executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations,” the Executive Order states.
“This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency-specific policies are often hidden from public view has only aggravated these issues.”
Information that qualifies as CUI is defined by the National Archives and Records Administration (NARA), which administers the program based on laws, regulations, and government-wide policies.
NARA worked with NIST to develop guidelines for protecting this information; the draft guidelines were published for public comment last fall.
The document Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171) is the final version of those guidelines.
“The new guidelines are designed for federal employees with responsibilities for information systems development, acquisition, management and protection,” NIST said.
“The requirements apply to all components of non-federal information systems and organizations that process, store or transmit CUI, or provide security protection for those components.”
The guidelines are based in part on existing security requirements for federal information systems found in two of NIST’s foundational information security documents: Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
“NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI,” said John Fitzpatrick, director of NARA’s Information Security Oversight Office.
“Together with NARA’s recently-proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government.”
